Vulnerabilities > CVE-2017-3248 - Remote Security vulnerability in Oracle WebLogic Server

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
oracle
nessus
exploit available
metasploit

Summary

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Core Components). Supported versions that are affected are 10.3.6.0, 12.1.3.0, 12.2.1.0 and 12.2.1.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS v3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts).

Exploit-Db

descriptionOracle WebLogic 12.1.2.0 - RMI Registry UnicastRef Object Java Deserialization Remote Code Execution. CVE-2017-3248. Webapps exploit for Multiple platform
fileexploits/multiple/webapps/44998.py
idEDB-ID:44998
last seen2018-07-10
modified2018-07-07
platformmultiple
port
published2018-07-07
reporterExploit-DB
sourcehttps://www.exploit-db.com/download/44998/
titleOracle WebLogic 12.1.2.0 - RMI Registry UnicastRef Object Java Deserialization Remote Code Execution
typewebapps

Metasploit

descriptionAn unauthenticated attacker with network access to the Oracle Weblogic Server T3 interface can send a serialized object (sun.rmi.server.UnicastRef) to the interface to execute code on vulnerable hosts.
idMSF:EXPLOIT/MULTI/MISC/WEBLOGIC_DESERIALIZE_UNICASTREF
last seen2020-06-10
modified2019-04-01
published2018-12-16
referenceshttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3248
reporterRapid7
sourcehttps://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/misc/weblogic_deserialize_unicastref.rb
titleOracle Weblogic Server Deserialization RCE - RMI UnicastRef

Nessus

  • NASL familyMisc.
    NASL idORACLE_WEBLOGIC_SERVER_CPU_JAN_2017.NASL
    descriptionThe version of Oracle WebLogic Server installed on the remote host is affected by a remote code execution vulnerability in the Core Components subcomponent due to unsafe deserialization of Java objects by the RMI registry. An unauthenticated, remote attacker can exploit this, via a crafted Java object, to execute arbitrary Java code in the context of the WebLogic server.
    last seen2020-03-18
    modified2017-01-18
    plugin id96610
    published2017-01-18
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/96610
    titleOracle WebLogic Server Java Object RMI Connect-Back Deserialization RCE (January 2017 CPU)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include('compat.inc');
    
    if (description)
    {
      script_id(96610);
      script_version("1.15");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/13");
    
      script_cve_id("CVE-2017-3248");
      script_bugtraq_id(95465);
      script_xref(name:"TRA", value:"TRA-2017-07");
      script_xref(name:"ZDI", value:"ZDI-17-055");
    
      script_name(english:"Oracle WebLogic Server Java Object RMI Connect-Back Deserialization RCE (January 2017 CPU)");
    
      script_set_attribute(attribute:"synopsis", value:
    "An application server installed on the remote host is affected by a
    remote code execution vulnerability.");
      script_set_attribute(attribute:"description", value:
    "The version of Oracle WebLogic Server installed on the remote host is
    affected by a remote code execution vulnerability in the Core
    Components subcomponent due to unsafe deserialization of Java objects
    by the RMI registry. An unauthenticated, remote attacker can exploit
    this, via a crafted Java object, to execute arbitrary Java code in the
    context of the WebLogic server.");
      # http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?89a8e429");
      script_set_attribute(attribute:"see_also", value:"https://www.tenable.com/security/research/tra-2017-07");
      script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-17-055/");
      script_set_attribute(attribute:"solution", value:
    "Apply the appropriate patch according to the January 2017 Oracle
    Critical Patch Update advisory.");
      script_set_attribute(attribute:"agent", value:"all");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:ND");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:X");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-3248");
    
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Oracle Weblogic Server Deserialization RCE - RMI UnicastRef');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/01/17");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/01/17");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/01/18");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:fusion_middleware");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:weblogic_server");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Misc.");
    
      script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("oracle_weblogic_server_installed.nbin");
      script_require_keys("installed_sw/Oracle WebLogic Server");
    
      exit(0);
    }
    
    include('audit.inc');
    include('global_settings.inc');
    include('misc_func.inc');
    include('install_func.inc');
    include('spad_log_func.inc');
    
    app_name = 'Oracle WebLogic Server';
    
    install = get_single_install(app_name:app_name, exit_if_unknown_ver:TRUE);
    ohome = install['Oracle Home'];
    subdir = install['path'];
    version = install['version'];
    
    fix = NULL;
    fix_ver = NULL;
    
    # individual security patches
    if (version =~ "^10\.3\.6\.")
    {
      fix_ver = '10.3.6.0.170117';
      # SU patch IDs found on:
      # https://support.oracle.com/epmos/faces/ui/patch/PatchDetail.jspx?_afrLoop=383735510156080&parent=DOCUMENT&patchId=24667634
      fix = make_list('XIDD', 'RVBS', 'JWEB');
    }
    else if (version =~ "^12\.1\.3\.")
    {
      fix_ver = '12.1.3.0.170117';
      fix = make_list('24904852');
    }
    else if (version =~ "^12\.2\.1\.0($|[^0-9])")
    {
      fix_ver = '12.2.1.0.170117';
      fix = make_list('24904865');
    }
    else if (version =~ "^12\.2\.1\.1($|[^0-9])")
    {
      fix_ver = '12.2.1.1.170117';
      fix = make_list('24907328');
    }
    else
      audit(AUDIT_INST_PATH_NOT_VULN, app_name, version, subdir);
    
    spad_log(message:'checking fix [' + obj_rep(fix) + ']');
    PATCHED=FALSE;
    
    # Iterate over the list of patches and check the install for the patchID
    foreach id (fix)
    {
     spad_log(message:'Checking fix id: [' + id +']');
     if (install[id])
     {
       PATCHED=TRUE;
       break;
     }
    }
    
    VULN=FALSE;
    if (ver_compare(ver:version, fix:fix_ver, strict:FALSE) == -1)
      VULN=TRUE;
    
    if (PATCHED || !VULN)
      audit(AUDIT_INST_PATH_NOT_VULN, app_name, version, subdir);
    
    os = get_kb_item('Host/OS');
    if ('windows' >< tolower(os))
    {
      port = get_kb_item('SMB/transport');
      if (!port) port = 445;
    }
    else port = 0;
    
    report =
      '\n  Oracle Home    : ' + ohome +
      '\n  Install path   : ' + subdir +
      '\n  Version        : ' + version +
      '\n  Fixes          : ' + join(sep:', ', fix);
    
    security_report_v4(extra:report, severity:SECURITY_HOLE, port:port);
    
  • NASL familyWeb Servers
    NASL idWEBLOGIC_2017_3248.NASL
    descriptionThe remote Oracle WebLogic server is affected by a remote code execution vulnerability in the Core Components subcomponent due to unsafe deserialization of Java objects by the RMI registry. An unauthenticated, remote attacker can exploit this, via a crafted Java object, to execute arbitrary Java code in the context of the WebLogic server.
    last seen2020-06-01
    modified2020-06-02
    plugin id96803
    published2017-01-26
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/96803
    titleOracle WebLogic Java Object RMI Connect-Back Deserialization RCE (January 2017 CPU)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(96803);
      script_version("1.11");
      script_cvs_date("Date: 2019/11/13");
    
      script_cve_id("CVE-2017-3248");
      script_bugtraq_id(95465);
      script_xref(name:"TRA", value:"TRA-2017-07");
      script_xref(name:"ZDI", value:"ZDI-17-055");
    
      script_name(english:"Oracle WebLogic Java Object RMI Connect-Back Deserialization RCE (January 2017 CPU)");
      script_summary(english:"Sends a Java object to trigger an RMI Connect-Back.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote Oracle WebLogic server is affected by a remote code
    execution vulnerability.");
      script_set_attribute(attribute:"description", value:
    "The remote Oracle WebLogic server is affected by a remote code
    execution vulnerability in the Core Components subcomponent due to
    unsafe deserialization of Java objects by the RMI registry. An
    unauthenticated, remote attacker can exploit this, via a crafted Java
    object, to execute arbitrary Java code in the context of the WebLogic
    server.");
      # https://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html#AppendixFMW
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?c11efb84");
      script_set_attribute(attribute:"see_also", value:"https://www.tenable.com/security/research/tra-2017-07");
      script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-17-055/");
      script_set_attribute(attribute:"solution", value:
    "Apply the appropriate patch according to the January 2017 Oracle
    Critical Patch Update advisory.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-3248");
    
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"exploited_by_nessus", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Oracle Weblogic Server Deserialization RCE - RMI UnicastRef');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/01/17");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/01/26");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:weblogic_server");
      script_end_attributes();
    
      script_category(ACT_ATTACK);
      script_family(english:"Web Servers");
    
      script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("weblogic_detect.nasl", "t3_detect.nasl");
      script_require_ports("Services/t3", 7001);
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("t3.inc");
    
    appname = "Oracle WebLogic Server";
    
    port = get_service(svc:'t3', default:7001, exit_on_fail:TRUE);
    
    # Try to talk T3 to the server
    sock = open_sock_tcp(port);
    if (!sock) audit(AUDIT_SOCK_FAIL, port);
    version = t3_connect(sock:sock, port:port);
    
    # send ident so we can move on to login
    t3_send_ident_request(sock:sock, port:port);
    
    # send our "login request"
    auth_request = '\x05\x65\x08\x00\x00\x00\x01\x00\x00\x00\x1b\x00\x00\x00\x5d\x01\x01\x00\x73\x72\x01\x78\x70\x73\x72\x02\x78\x70\x00\x00\x00\x00\x00\x00\x00\x00\x75\x72\x03\x78\x70\x00\x00\x00\x00\x78\x74\x00\x08\x77\x65\x62\x6c\x6f\x67\x69\x63\x75\x72\x04\x78\x70\x00\x00\x00\x0c\x9c\x97\x9a\x9a\x8c\x9a\x9b\xcf\xcf\x9b\x93\x9a\x74\x00\x08\x77\x65\x62\x6c\x6f\x67\x69\x63\x06\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x1d\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x43\x6c\x61\x73\x73\x54\x61\x62\x6c\x65\x45\x6e\x74\x72\x79\x2f\x52\x65\x81\x57\xf4\xf9\xed\x0c\x00\x00\x78\x70\x72\x00\x02\x5b\x42\xac\xf3\x17\xf8\x06\x08\x54\xe0\x02\x00\x00\x78\x70\x77\x02\x00\x00\x78\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x1d\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x43\x6c\x61\x73\x73\x54\x61\x62\x6c\x65\x45\x6e\x74\x72\x79\x2f\x52\x65\x81\x57\xf4\xf9\xed\x0c\x00\x00\x78\x70\x72\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x4f\x62\x6a\x65\x63\x74\x3b\x90\xce\x58\x9f\x10\x73\x29\x6c\x02\x00\x00\x78\x70\x77\x02\x00\x00\x78\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x1d\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x43\x6c\x61\x73\x73\x54\x61\x62\x6c\x65\x45\x6e\x74\x72\x79\x2f\x52\x65\x81\x57\xf4\xf9\xed\x0c\x00\x00\x78\x70\x72\x00\x10\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x56\x65\x63\x74\x6f\x72\xd9\x97\x7d\x5b\x80\x3b\xaf\x01\x03\x00\x03\x49\x00\x11\x63\x61\x70\x61\x63\x69\x74\x79\x49\x6e\x63\x72\x65\x6d\x65\x6e\x74\x49\x00\x0c\x65\x6c\x65\x6d\x65\x6e\x74\x43\x6f\x75\x6e\x74\x5b\x00\x0b\x65\x6c\x65\x6d\x65\x6e\x74\x44\x61\x74\x61\x74\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x4f\x62\x6a\x65\x63\x74\x3b\x78\x70\x77\x02\x00\x00\x78\xfe\x01\x00\x00';
    # this is a java.rmi.registry.Registry. Successful deserialization of this object
    # could result in a connection to an external RMI registry. This object has an
    # IP/port hardcoded to 127.0.0.1 and 0 so that it will never connect out.
    auth_request += '\xac\xed\x00\x05\x73\x7d\x00\x00\x00\x01\x00\x1a\x6a\x61\x76\x61\x2e\x72\x6d\x69\x2e\x72\x65\x67\x69\x73\x74\x72\x79\x2e\x52\x65\x67\x69\x73\x74\x72\x79\x78\x72\x00\x17\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x72\x65\x66\x6c\x65\x63\x74\x2e\x50\x72\x6f\x78\x79\xe1\x27\xda\x20\xcc\x10\x43\xcb\x02\x00\x01\x4c\x00\x01\x68\x74\x00\x25\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x72\x65\x66\x6c\x65\x63\x74\x2f\x49\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x48\x61\x6e\x64\x6c\x65\x72\x3b\x78\x70\x73\x72\x00\x2d\x6a\x61\x76\x61\x2e\x72\x6d\x69\x2e\x73\x65\x72\x76\x65\x72\x2e\x52\x65\x6d\x6f\x74\x65\x4f\x62\x6a\x65\x63\x74\x49\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x48\x61\x6e\x64\x6c\x65\x72\x00\x00\x00\x00\x00\x00\x00\x02\x02\x00\x00\x78\x72\x00\x1c\x6a\x61\x76\x61\x2e\x72\x6d\x69\x2e\x73\x65\x72\x76\x65\x72\x2e\x52\x65\x6d\x6f\x74\x65\x4f\x62\x6a\x65\x63\x74\xd3\x61\xb4\x91\x0c\x61\x33\x1e\x03\x00\x00\x78\x70\x77\x32\x00\x0a\x55\x6e\x69\x63\x61\x73\x74\x52\x65\x66\x00\x09\x31\x32\x37\x2e\x30\x2e\x30\x2e\x31\x00\x00\x00\x00\x00\x00\x00\x00\x6e\xd6\xd9\x7b\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x78';
    auth_request += '\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x25\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x49\x6d\x6d\x75\x74\x61\x62\x6c\x65\x53\x65\x72\x76\x69\x63\x65\x43\x6f\x6e\x74\x65\x78\x74\xdd\xcb\xa8\x70\x63\x86\xf0\xba\x0c\x00\x00\x78\x72\x00\x29\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6d\x69\x2e\x70\x72\x6f\x76\x69\x64\x65\x72\x2e\x42\x61\x73\x69\x63\x53\x65\x72\x76\x69\x63\x65\x43\x6f\x6e\x74\x65\x78\x74\xe4\x63\x22\x36\xc5\xd4\xa7\x1e\x0c\x00\x00\x78\x70\x77\x02\x06\x00\x73\x72\x00\x26\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6d\x69\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x4d\x65\x74\x68\x6f\x64\x44\x65\x73\x63\x72\x69\x70\x74\x6f\x72\x12\x48\x5a\x82\x8a\xf7\xf6\x7b\x0c\x00\x00\x78\x70\x77\x34\x00\x2eauthenticate\x28\x4c\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x73\x65\x63\x75\x72\x69\x74\x79\x2e\x61\x63\x6c\x2eUserInfo\x3b\x29\x00\x00\x00\x1b\x78\x78\xfe\x00\xff';
    send_t3(sock:sock, data:auth_request);
    
    # read in the response to our bad login request
    return_val = recv_t3(sock:sock);
    close(sock);
    
    if (isnull(return_val) ||
      preg(string:return_val, pattern:'\\$Proxy[0-9]+ cannot be cast to weblogic') == FALSE)
    {
      audit(AUDIT_INST_VER_NOT_VULN, appname, version);
    }
    
    report =
      '\nNessus was able to exploit a Java deserialization vulnerability by' +
      '\nsending a crafted Java object.' +
      '\n';
    security_report_v4(port:port, severity:SECURITY_HOLE, extra:report);
    

Packetstorm

Seebug

bulletinFamilyexploit
description### 漏洞描述 黑客利用WebLogic 反序列化漏洞(CVE-2017-3248)和WebLogic WLS 组件漏洞(CVE-2017-10271)对企业服务器发起大范围远程攻击,有大量企业的服务器被攻陷,且被攻击企业数量呈现明显上升趋势,需要引起高度重视。其中,CVE-2017-10271是一个最新的利用Oracle WebLogic中WLS 组件的远程代码执行漏洞,属于没有公开细节的野外利用漏洞,大量企业尚未及时安装补丁。官方在 2017 年 10 月份发布了该漏洞的补丁。 该漏洞的利用方法较为简单,攻击者只需要发送精心构造的 HTTP 请求,就可以拿到目标服务器的权限,危害巨大。由于漏洞较新,目前仍然存在很多主机尚未更新相关补丁。预计在此次突发事件之后,很可能出现攻击事件数量激增,大量新主机被攻陷的情况。 攻击者能够同时攻击Windows及Linux主机,并在目标中长期潜伏。由于Oracle WebLogic的使用面较为广泛,攻击面涉及各个行业。此次攻击中使用的木马为典型的比特币挖矿木马。但该漏洞可被黑客用于其它目的攻击。 ### 影响版本 * Oracle Weblogic Server 10.3.6.0 * Oracle Weblogic Server 12.2.1.2 * Oracle Weblogic Server 12.2.1.1 * Oracle Weblogic Server 12.1.3.0
idSSV:97009
last seen2018-06-26
modified2017-12-22
published2017-12-22
reporterMy Seebug
sourcehttps://www.seebug.org/vuldb/ssvid-97009
titleOracle WebLogic wls-wsat RCE(CVE-2017-10271)